By ro0ted | March 5, 2015 - 12:24 | Posted in /b/ | 9 Comments
#ro0ted #OpNewblood What the blackhats don’t want you to know: Bypassing Registering 101

Some programs require key files to register the product; otherwise you get an evaluation trial. – https://twitter.com/ro0ted/

Our target:

The first thing we notice is that the Register Now box is grayed out. The second thing to notice is that when you click Import, it shows the type and name of the file it’s looking for. When you reverse engineer, you have to keep every little detail in mind.

Now we know it’s looking for hpapikey.bin.
So let’s see what happens if we try to make a fake hpapikey.bin file.
Open Notepad, or in my case Notepad++:

Now save the file as hpapikey.bin
Now try to use that file in the target:


It’s still grayed out, right? Well, enter your name:

Now you see this:


Now click “Continue Evaluating” and see whether there is anything in the About box. Click the Help menu and choose “About Hpmbcalc”, and this pops up:

We previewed it and saw what we can do and what we can’t.
Now power up Ollydbg:


Open another window in Resource Hacker:


If you go to Ollydbg and look through the references, you will not find anything. So click the string module in Resource Hacker:

What are we looking for? The error we received when trying to register: “The register information you have given can’t be verified”.
So click View at the top > Find Text:

Search the error:


We come to this:


You see 2076? That’s the number the program uses to push the string.
Re-maximize Olly, right-click, and choose Search for > Constant:

This brings up a tiny box:

In Signed and Unsigned, type 2076, and Olly will convert it to hex automatically for you:

Press okay and we come here:


PUSH 0x81C = push the error, now you know.
We do the same thing we did to find the correct popup, so here in Olly:

We see it’s just above the error:


Let’s try to breakpoint on 004195FC and change the flag so it doesn’t jump. When the program runs, enter your info and your key file and hit “Register”, and Olly breaks here:

Change flag in registers and press F9:


Now click okay and go to the About Screen:


Nope, still the same. Restart Olly.
Set a BP here:
Why? Because it sets EAX.

You should come here:


If you go to 00413E00, you’ll see the program is using crypto to protect the real serial, so set a BP there, right-click, hit Assemble, enter RETN, and press F9, and you’ll see:

The Register button is gone, and now it’s registered to me.

ro0ted

 


 

 
